On Tue, Oct 18, 2022 at 4:01 AM Michal Strnad <[email protected]> wrote:
>
> Hi.
>
> We have a Ceph cluster with a lot of users who use the S3 and RBD protocols.
> Now we need to give access to one user group with OpenStack, so they run
> RGW on their side, but we have to set "ceph caps" for this RGW. The
> documentation for OpenStack has the following:
>
> ceph auth get-or-create client.radosgw osd 'allow rwx' mon 'allow rwx'
> -o /etc/ceph/ceph.client.radosgw.keyring
>
> which means full permission. Can we limit the permission somehow so RGW
> from OpenStack cannot reach the data of other users? Would it be enough
> if RGW has only some swift account?

The radosgw process requires those caps to read and write from the
ceph cluster. The S3 and Swift protocols have their own models for
access control, separate from these ceph caps. By default, buckets are
not shared between rgw users. You can use ACLs or S3 bucket policy to
grant access to other users.

>
> I would appreciate any advice.
>
> Best regards,
> Michal Strnad
>
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
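
The reply's last point, as an added example that is not part of the thread and not Ceph project code: it builds an S3 bucket policy granting one named RGW user read-only access to one bucket, and lints a policy for grants that would open the bucket wider than intended. The bucket name `shared-data`, the user `bob` and the helper names are constructed for illustration.

```python
import json

def rgw_principal(uid, tenant=""):
    """RGW user ARN; the tenant part is empty for users without a tenant."""
    return f"arn:aws:iam::{tenant}:user/{uid}"

def read_only_policy(bucket, uid, tenant=""):
    """Bucket policy letting one named RGW user list and read one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [rgw_principal(uid, tenant)]},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def as_list(value):
    # Policy fields may be a single value or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for Allow statements that grant more than intended."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in who:
            findings.append(f"statement {n}: open to every user (Principal '*')")
        broad = [a for a in as_list(stmt.get("Action", [])) if a in ("*", "s3:*")]
        if broad:
            findings.append(f"statement {n}: wildcard action {broad[0]}")
    return findings

if __name__ == "__main__":
    # Constructed names: bucket "shared-data", RGW user "bob".
    policy = read_only_policy("shared-data", "bob")
    print(json.dumps(policy, indent=2))
    print(lint_policy(policy) or "no findings")
```

The bucket owner applies the printed JSON with an S3 client, for example `s3cmd setpolicy` or `aws s3api put-bucket-policy`.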
